AiTM Phishing Attacks on Microsoft 365 and Google Aimed at Stealing Login Credentials
gbhackers
A dramatic escalation in phishing attacks leveraging Adversary-in-the-Middle (AiTM) techniques has swept across organizations worldwide in early 2025, fueled by the rapid evolution and proliferation of Phishing-as-a-Service (PhaaS) platforms.
Sekoia researchers and threat intelligence teams are sounding the alarm as these attacks become more complex, harder to detect, and increasingly effective at bypassing even advanced security measures like Multi-Factor Authentication (MFA).
Unlike traditional phishing, AiTM attacks use sophisticated reverse proxy servers to intercept user credentials and session cookies in real time.
When a victim clicks a link in a phishing email, often disguised as a legitimate corporate communication, they are taken to a fake login page that closely mimics trusted services such as Microsoft 365 or Google.
As the victim enters their credentials and MFA codes, the AiTM server relays this information to the real authentication service, capturing the session cookie that grants access.
With ...
Copyright of this story solely belongs to gbhackers.